The 1st Line of Defence (Business, Operations, IT and APAC CDO) has the responsibility to embed data protection regulations and Group policies and guidelines in the internal organisation and processes within its perimeter (e.g. privacy by design, PIA, security measures, etc.).

The DPO is positioned in the 2nd Line of Defence (within the RISK function) and will establish his/her DPO office for the scope outlined under his/her responsibility. The DPO must supervise compliance with data protection regulations and Group policies and guidelines, ensure second-level controls and give the necessary guidance to support the 1st Line of Defence.

In order to ensure consistency with the Group's management structure, an APAC DPO will be appointed. The APAC DPO will be in the reporting line of the Head of Operational Risk and Control (2nd Line of Defence), interface with the APAC CDO and will have a functional reporting line to the Group DPO.

For the scope of responsibility across their territories, the DPO will be supported by Data Protection Correspondents (DPCs) positioned in key APAC countries.

Responsibilities

A DPO will be appointed on a full-time basis with the following key direct responsibilities within their scope:

- Review and advise on the implementation of Privacy by Design principles from the design stage and throughout the life-cycle of all projects, products, services, activities, processes and systems

- Provide advice on Privacy Impact Assessments (PIA) (e.g. whether or not to carry out a PIA, what methodology to follow, what safeguards to apply to mitigate any risks to the rights and interests of individuals) and monitor that PIAs are performed correctly

  - Review and advise on rules regarding the record of processing activities

  - Monitor that the record of processing activities (the "Register") is kept up to date, filed under the responsibility of the controller / processor, in line with defined rules, and made available upon request of the Data Protection Authorities

- Build and implement an awareness programme

  - Contribute to the promotion of a data protection culture

  - Ensure that the training provided to employees involved in processing activities is sufficient and refreshed on a periodic basis to maintain data protection awareness

E. Define and operate the second-level controls and independent testing of the personal data protection framework, in order to monitor compliance with personal data protection legislation and internal policies and guidelines:

- Define and perform risk-based second-level controls on processes related to personal data protection

- Assess the effectiveness of the 1st Line of Defence (business and IT) controls on personal data protection, based on the Generic Control Plans defined by the Group

This will involve 2LoD control testing against local and Group data protection requirements covering: personal data processed across the organisation; high-risk activities; new products and activities which involve personal data; and IT systems in addition to business operations

- Expert knowledge of APAC data protection legislation (at least one of the following countries, with the ability and interest to become familiar with the rest: Australia, New Zealand, China, Hong Kong, India, Indonesia, Japan, Malaysia, Philippines, Singapore, South Korea, Taiwan, Thailand, Vietnam)

- Knowledge of internal organisation and processes

- Understanding of data processing operations, including business applications and data use

- Experience in interacting with regulators

- Experience in transversal management and cross-functional working

- Experience in project management and change management

- Experience in advising on regulatory requirements, in particular the ability to explain them in "plain English"

- Strong knowledge of and interest in information technology, digital and new technologies, and an understanding of information security principles and controls

Behaviour and soft skills

The Data Protection Officer should demonstrate:

- Independence, objectivity and integrity

- Excellent writing and communication skills – allowing him/her to act as a communicator across the bank

- Ability to lead, engage and work transversally

- Ability to manage and develop teams’ knowledge on data protection and privacy

- Fluency in English (mandatory) and in the national language of the country where the DPO is based

- A high level of commitment and self-motivation, combined with the enthusiasm and genuine interest needed to be a successful Data Protection Officer